General Data Protection Regulation – How to Comply With the New Rules
Unless you have been living in a cave, you will know that the law on data protection is changing on 25th May. A new piece of EU law, the General Data Protection Regulation, comes fully into force.
As a storm approaches, leaves, dust and litter blow around. In the same way, the flurries of emails which have arrived in our inboxes asking us all to send new data consents are a sign that the deadline for compliance with the GDPR is soon upon us.
Although time is short - there are only 4 weeks to go - and though there is plenty to do, it will still be possible to get your business in good shape by the deadline if you get weaving.
Firstly, you need to make sure that your approach to data security is modern and up to date. Some people think that Mark Zuckerberg does not believe personal privacy should even be a thing; if they are right, you need to follow instead the lead of Angela Merkel, who loves confidentiality and hates snooping.
Secondly, look at the Information Commissioner's website and go through the 12-step to-do list which you will find there. Work through that list carefully and conscientiously, using liberal amounts of tea and biscuits if the going gets a little heavy.
One of the first steps on the to-do list is to make sure that the people who are in charge of your organisation know that preparations for the GDPR need to be made.
Next, you may want to consider all the data your business holds on identifiable living people. Organise it on a piece of paper into types, e.g. customer lists, marketing lists and staff records.
Now think, in relation to each type of data: what is the basis on which you are holding it? What makes you think you are entitled to do so? There are 6 of these bases under the Regulation, and only 1 of them is that you have the consent of the person. You don’t need consent in every case; you may, for example, be holding the data because you are carrying out a contract with that individual, as with the employment files for your staff.
There are several more steps you need to work through. You will for instance need to review all your standard terms, conditions and contracts with third parties including website users, to ensure that those terms say the right things about the data you will be holding, processing and sharing. If you get stuck as you work through the list then contact your solicitor for advice.
The start of the GDPR comes at just the right moment. Although it was drafted a long time ago, it is only in the last few weeks that much of the world has really begun to wake up to the important issues of data security which the Regulation is designed to address. Make sure that when the GDPR train leaves, you are on board: anyone left on the platform will unfortunately be dealt with severely, so be certain that it isn’t you.